Slashdot Mirror


Brazilian Coders Are Pioneering the First Cross-OS Malware Using JAR Files

An anonymous reader writes: Criminal gangs in Brazil are experimenting with the first malware families that are packaged as JAR files, capable of being deployed to Windows, Linux, Mac, and even Android from the same codebase, instead of relying on 4 different versions. Right now, only the malware dropper, a component used to infect computers with banking trojans, seems to have been coded in Java, but security experts expect a full-blown banking trojan to soon follow.


  1. Re:Does anyone actually install a JRE any more? by Todd Knarr · · Score: 5, Interesting

    It wouldn't need to run as a browser plugin. The idea here is to use some other exploit to gain access and drop the .jar file onto the system, then run it as a regular local application. I suspect a lot of people have it because Oracle's made deals to have it included on the manufacturer's images, and those people don't have a clue what Java is or how to remove it so that's a problem.

    I am, however, surprised it took them this long to come up with this idea. It's fairly standard on Unix systems; that's how cross-platform scripting of all sorts is done.

  2. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 1

    Ah, but if the malware needs a Java Runtime Environment then it can just install that, too. :)

    The bigger question, though, is whether being the language of choice for writing malware is a plus or a minus for a language. I mean, let's say someone writes some very clever malware in C. Does that mean that C is a powerful and expressive language? Or does it mean that C is the devil?

    Well, that's a bad analogy because we already know that C is the devil. But you get the picture.

  3. That's it, I'm switching to CP/M by Anonymous Coward · · Score: 5, Funny

    There's no Java for CP/M-Z80, so I'm safe from being targeted by cross platform malware [or being targeted by applications in general].

    1. Re:That's it, I'm switching to CP/M by Anonymous Coward · · Score: 1

      But what if they wrote it in Turbo Pascal? You should get an 8085 just to be sure!

    2. Re:That's it, I'm switching to CP/M by cstdenis · · Score: 1

      So much for write once, run anywhere.

      --
      1984 was not supposed to be an instruction manual.
  4. So using Java exactly what it was designed for? by Anonymous Coward · · Score: 5, Informative

    Guess all those memories of viruses from the 80's containing executable code valid on multiple processors are all my fevered imagination. Who knew that the first cross-OS malware was definitely only being written now, in 2016, in Java.

    Wait, no, just the dropper. Congrats guys, you've discovered a platform-independent way of opening a stream from somewhere on the internet and dumping it to a file. Definitely pushing the envelope of Java to do that, I mean it's not like it comes with any sockets or file API specifically designed for stuff like that.

    Give me a break. I was hoping to hear about something actually creative, like PDF or jpeg with multiple exploits for common Windows/Mac/Linux viewers or decode libraries, that causes a jump into the appropriate shellcode for each platform depending on what it's viewed on. This story is a non-event.

    1. Re:So using Java exactly what it was designed for? by TheRaven64 · · Score: 3, Interesting

      It is a bit of a stretch. There was a nice entry into the IOCCC a few years ago that was a program that was valid as a C program, a shell script, or a makefile. Running it as either a shell script or makefile would compile the C program, which would then print its output. There's been some interesting recent research involving isolating instructions that are NOPs on various architectures and writing exploit code that is a valid executable on both x86 and ARM (it doesn't have to be long, because you can encode a jump to the architecture-specific version in the portable code).

      It's worth noting that this is even (almost) the official and documented way of writing a cross-architecture Windows binary: you have a little .NET stub that P/Invokes the native binary for the architecture that it detects.

      --
      I am TheRaven on Soylent News
    2. Re:So using Java exactly what it was designed for? by MachineShedFred · · Score: 1

      I was thinking exactly this. Glad to hear that only now are we seeing a 'cross-platform' malware, and that the untold numbers of Excel macro viruses, Outlook exploits, PDF exploits, Flash exploits, etc. don't count. Only when you use Java to do something it was actually designed to do (as you described) do you become 'the first cross-platform malware.'

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  5. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 1

    tl;dr: nearly all banks require the JRE here.

    As a Brazilian, I must say: a LOT of lazy coders rely on Java for everything.

    I am not bashing Java, I mean relying on it for EVERYTHING.
    (even during my CS degree some teachers were promoting Java as the only language you will ever use, forever)

    To make things worse, they usually write very sloppy code that even relies on older, vulnerable and discontinued JRE versions.
    (not kidding, the government is the main culprit and even runs critical web stuff that still requires IE 6.0 emulation to work)

    And well.. awkwardly speaking, nearly all banks require the JRE. (some do offer workarounds)

  6. "First Cross-OS Malware Using JAR Files" by Anonymous Coward · · Score: 5, Funny

    "First Cross-OS Malware Using JAR Files"

    I used to have that one. It was developed by Sun, and called the Java plugin.

    1. Re:"First Cross-OS Malware Using JAR Files" by ruir · · Score: 1

      Best comment so far!

  7. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 5, Funny

    Well, that's a bad analogy because we already know that C is the devil. But you get the picture.

    Well, any reasonably skilled programmer has several deals with the devil, and for about half of them the devil feels he got the short end of the stick.

    My comments are usually ascii pentagrams, but they only show with a tabsize of 4.

  8. Re:Does anyone actually install a JRE any more? by Anonymous Coward · · Score: 1

    *cross-platform scripting* usually involves perl, sh or similar scripting language. There really is no need to use java for that. And no, it isn't standard at all. If I need java on a system for a new fancy software I always have to install it first. You get flash preinstalled more often than java.

    It also isn't that hard to deploy a miniperl to provide a runtime on systems without built-in perl (aka windows).

  9. JAR capable of being deployed to Linux by tetraverse · · Score: 3, Insightful

    How exactly does this JAR file get downloaded and executed on a Linux system without end-user action?

    1. Re:JAR capable of being deployed to Linux by Anonymous Coward · · Score: 1

      So many Dell DRACs, so little time, lol

    2. Re:JAR capable of being deployed to Linux by MrCoke · · Score: 2

      "Press OK to enter our contest and win an iPhone 6/..."

    3. Re:JAR capable of being deployed to Linux by delt0r · · Score: 1

      Or any other system for that matter. Or just a plain exe file or .sh on unix? STUPID USERS. As always. PEBCAK

      --
      If information wants to be free, why does my internet connection cost so much?
    4. Re:JAR capable of being deployed to Linux by edtice1559 · · Score: 1

      It may be the most deployed OS, but it's not the most-deployed end-user OS. If you are going to target Linux, using social engineering to install Malware may be very difficult. If you succeed, the person you targeted will most likely end up installing it on a Windows desktop even if they are the Linux admin. To attack infrastructure you use much different techniques.

  10. Java: write once by Kartu · · Score: 1

    "Java: write once, run anywhere"

    Sorry, couldn't help.

  11. First? by Anonymous Coward · · Score: 4, Informative

    I don't think so.

    http://virus.wikidot.com/esperanto

  12. Re:Does anyone actually install a JRE any more? by Racemaniac · · Score: 1

    Anyone interested in arduino for starters?

  13. Like linux users needed by silentcoder · · Score: 1

    another reason to uninstall java.

    --
    Unicode killed the ASCII-art *
    1. Re: Like linux users needed by silentcoder · · Score: 1

      I don't have a thousand other reasons not to install C support. Also, unlike Java, C lets me run some actually useful programs.

      --
      Unicode killed the ASCII-art *
    2. Re: Like linux users needed by silentcoder · · Score: 1

      And guaranteed to be 50 times as long as it should have been. Deep inside java was a functional, elegant and readable OO language trying to get out. Its name was python.

      --
      Unicode killed the ASCII-art *
    3. Re: Like linux users needed by jalet · · Score: 1

      > In Java's case, your code is automatically portable and can execute on any OS that has a JRE installed (write once, run anywhere).

      Thanks for the laugh !!!

      --
      Votez ecolo : Chiez dans l'urne !
    4. Re: Like linux users needed by GodelEscherBlecch · · Score: 1

      In 10 years of developing combined J2EE/C++ systems on Windows and deploying them to Linux, I have seen precisely these differences running the same Java code in different operating systems:

      1) FS calls tend to be faster in Linux

      2) FS paths are different if you are too stupid to use the abstraction API properly

      3) One time a math function returned a different value. Turned out it was in the Wolfram .so file, which they patched.

      I know the hate bandwagon is a tempting position when you're not too bright, but you really should try to think about what you say before you embarrass yourself.

    5. Re: Like linux users needed by delt0r · · Score: 1

      As long as you don't do *anything* it is portable. Use a TCP socket, open a window, use threads... and BANG, no longer portable.

      --
      If information wants to be free, why does my internet connection cost so much?
  14. Re:So Brazilan criminals are by silentcoder · · Score: 1

    >Dice employees used to be the lowest form of life

    Used to be ?!??!?!

    --
    Unicode killed the ASCII-art *
  15. New slogan by antifoidulus · · Score: 1

    Write once, pwn everywhere!

  16. First? My ass... by evilviper · · Score: 5, Informative
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    1. Re:First? My ass... by gatkinso · · Score: 1

      You'd think the OP never played Minecraft.

      --
      I am very small, utmostly microscopic.
  17. Re:Does anyone actually install a JRE any more? by hairyfeet · · Score: 1

    Uhhh...last I checked everyone that has Minecraft has Java, that is a LOT of Java installs.

    That is why I hate the git that made Minecraft: after years of watching Java die on the desktop, here comes this twerp who makes an insanely popular game in Java and BAM! Piles of shitty Java installs cropping up everywhere.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  18. Re:Does anyone actually install a JRE any more? by beakerMeep · · Score: 2

    The idea here is to use some other exploit to gain access and drop the .jar file onto the system, then run it as a regular local application.

    If malware gains local application code execution, then the target user is pretty much farked anyways -- the language used is irrelevant.

    --
    meep
  19. Smells like a difamatory campain to me... by fbobraga · · Score: 1

    I'm a Brazilian that works with IT, and it's the first time that I'm hearing something about it: it seems to me like a pretty badly-made SCAM :/ * I may be wrong, but I doubt it :P

    1. Re:Smells like a difamatory campain to me... by KGIII · · Score: 1

      In English it's "defamatory" and "campaign." My Spanish is bad, it's total shit.

      --
      "So long and thanks for all the fish."
    2. Re:Smells like a difamatory campain to me... by KGIII · · Score: 1

      Ah. I don't speak Portuguese! ;-)

      --
      "So long and thanks for all the fish."
    3. Re: Smells like a difamatory campain to me... by fbobraga · · Score: 1

      I doubt it, Mr. Anonymous Coward * You must know that the Brazilian Constitution explicitly forbids anonymity, huh?

  20. Qubes and virtualisation by John Allsup · · Score: 1

    This is why OS architectures like Qubes are important. This is why Linux systems (and everything else) should work more like that. It is also why the principle of least authority needs to make its way out of textbooks and into real life. Malware like this can work because it is given permission to work. There is no reason things need to be that way, except for laziness of programmers.

    --
    John_Chalisque
    1. Re:Qubes and virtualisation by tobiasly · · Score: 2

      This is why OS architectures like Qubes are important. This is why Linux systems (and everything else) should work more like that. It is also why the principle of least authority needs to make its way out of textbooks and into real life.

      When something that sounds great in a textbook never makes it to real life, there's usually a pretty good reason.

  21. Re:Does anyone actually install a JRE any more? by Flavianoep · · Score: 1

    Brazilians rely on JRE to process their income tax.

    --
    Linux is for people who don't mind RTFM.
  22. Re:Does anyone actually install a JRE any more? by Flavianoep · · Score: 1

    I wish our crackers were more patriotic. Last week, we learned about some malware that fails to work in computers located in Russia; why can't our malware coders create pieces of malware that *fail* when they find a JRE?

    --
    Linux is for people who don't mind RTFM.
  23. Odd editorial tone. by sabbede · · Score: 1

    It's written like a piece on an OSS project. When I got to the end, I was thinking, "Why are these researchers making malware?" Had to go back and re-read the first two words.

  24. Hardly the first jar based malware by gatkinso · · Score: 1

    Download some Minecraft mods, take a peek inside.

    All the more insidious because generally it is children installing said mods.

    --
    I am very small, utmostly microscopic.
    1. Re:Hardly the first jar based malware by cstdenis · · Score: 1

      What mods are you referring to? The mod community seems to be pretty safe overall from what I've seen.

      --
      1984 was not supposed to be an instruction manual.
  25. Re:Does anyone actually install a JRE any more? by randomErr · · Score: 1

    I need it to play Minecraft. So yes, yes I do.

    --
    You say things that offend me and I can deal with it. Can you?
  26. Re:Does anyone actually install a JRE any more? by AchilleTalon · · Score: 1

    Almost every smart phone does. The browser thing is just irrelevant, you obviously do not understand anything about this ecosystem.

    --
    Achille Talon
    Hop!
  27. Macs? Really? by U2xhc2hkb3QgU3Vja3M · · Score: 1

    Don't mind the little fact that Macs don't even come with Java pre-installed anymore.

    1. Re:Macs? Really? by Anonymous Coward · · Score: 1

      Don't mind the little fact that Macs don't even come with Java pre-installed anymore.

      Last time I checked neither do most other popular desktop operating systems. What's your point?

  28. Re:Does anyone actually install a JRE any more? by LiENUS · · Score: 1

    Almost every smart phone does.

    Almost every smart phone, except for Android and iPhone where the JRE isn't available at all...

  29. Re:Maybe, but by fbobraga · · Score: 1

    Full of shit! * but the drinking water, for the Olympics in Rio, is very well drinkable (Guanabara Bay is not a source of drinking water :P) * I live in Rio Claro / SP (not really very near to Guanabara Bay, though...)

  30. These people have never worked in web hosting by mr_mischief · · Score: 1

    There are plenty of malware packages in PHP, Perl, Python, and Ruby that will search for vulnerable web apps, infiltrate a hosting account, then set up web-accessible shells written in the same languages and continue on to find more vulnerable apps and accounts.

  31. Re:Does anyone actually install a JRE any more? by dougmc · · Score: 1

    Does anyone actually install a JRE any more?

    Yeah, I didn't think it was very many.

    Yes, lots of people install JREs.

    The browser plugin isn't used much anymore, but there's lots of applications that use Java on a desktop (and lots, lots more that use it on servers, but I'll leave them alone for now.)

    Some ones that come to mind are Minecraft, Eclipse (and a bunch of other programming IDEs and tools), Roboforge, OpenOffice, Vuze, Runescape, FreeCol, JOSM, Genj ...

  32. Re:Does anyone actually install a JRE any more? by JustAnotherOldGuy · · Score: 1

    Hell, I haven't had Java installed in years, maybe a decade.

    It was of limited use and screwed up other stuff, and it made my PC slow to a crawl.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  33. Re:Does anyone actually install a JRE any more? by LiENUS · · Score: 1

    They still have JVMs

    No they don't. All of the "JVM" stuff for iOS runs on the development machine and does static translation to native code.

    (Android even moved BACK to Oracle's and ditched Dalvik)

    No they didn't. They ditched the Harmony project and started using the OpenJDK libraries.
    The VM itself is still Dalvik, only instead of going right from Dalvik opcodes to native code it goes Dalvik->LLVM->native code.
    Android does not and has never supported Java bytecode. You must recompile Java bytecode to Dalvik bytecode on your development machine ahead of time. Just like if you want to use Java with iOS. This means a jar file containing Java bytecode will not and can not run on iPhones or Android phones.
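The dropper that comment 4 earlier in the thread dismisses as "opening a stream and dumping it to a file" leaves a recognisable footprint inside a JAR, and the comment above adds a second point worth checking mechanically: a JAR of Java bytecode does not run on Android, which needs dex. The script below is an added example for this mirror, not code from the article or from anyone in the thread. It treats the JAR as the zip archive it is, reads the manifest's Main-Class, checks the magic bytes of each entry (Java class files start with CA FE BA BE, Android dex files with "dex\n"), and scans the class files' constant-pool strings for the API mix a stream-to-file dropper needs: networking, file output, process execution and OS detection. The function names, the indicator lists and the sample JAR (a stub class file that carries only the strings, not compilable code) are all assumptions constructed for the example.

```python
"""Static triage of a JAR for the cross-platform "dropper" pattern.

Added example; not code from the article or from any thread participant.
All names (triage_jar, build_sample_jar, INDICATORS, ...) are ours, and the
sample JAR is constructed inline: its "class file" has a valid magic and a
fake run of CONSTANT_Utf8 entries, nothing that a JVM would execute.
"""
import io
import zipfile

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every Java .class file starts with this
DEX_MAGIC = b"dex\n"                     # Android bytecode starts with "dex\n0NN\0"

# Strings as they appear in a class file's constant pool. JVM internal class
# names use '/' instead of '.'; property names are plain string literals.
# A string scan is a triage hint only: reflection or string decoding at
# runtime hides these from it.
INDICATORS = {
    "network": (b"java/net/URL", b"java/net/Socket", b"java/net/HttpURLConnection"),
    "file_write": (b"java/io/FileOutputStream", b"java/nio/file/Files"),
    "exec": (b"java/lang/Runtime", b"java/lang/ProcessBuilder"),
    "os_detect": (b"os.name", b"user.home", b"java.io.tmpdir"),
}


def read_manifest(zf):
    """Return the main-section attributes of META-INF/MANIFEST.MF as a dict.
    Continuation lines (leading space) are skipped; fine for Main-Class."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return {}
    attrs = {}
    for line in raw.splitlines():
        if line.startswith(" ") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs


def classify_entry(data):
    """Identify an archive entry by its magic bytes."""
    if data.startswith(JAVA_CLASS_MAGIC):
        return "java-class"
    if data.startswith(DEX_MAGIC):
        return "dex"
    return "other"


def triage_jar(jar_bytes):
    """Inspect a JAR (given as bytes) and return a small report dict."""
    report = {
        "main_class": None,
        "java_classes": 0,
        "dex_entries": 0,
        "indicators": {cat: [] for cat in INDICATORS},
        "verdict": "",
    }
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        report["main_class"] = read_manifest(zf).get("Main-Class")
        for name in zf.namelist():
            data = zf.read(name)
            kind = classify_entry(data)
            if kind == "java-class":
                report["java_classes"] += 1
            elif kind == "dex":
                report["dex_entries"] += 1
            else:
                continue  # manifest, resources, directories: no bytecode to scan
            for cat, needles in INDICATORS.items():
                if any(n in data for n in needles):
                    report["indicators"][cat].append(name)
    # Java bytecode only: runs wherever a JRE is installed, not on Android as-is.
    report["runs_on"] = ("jre-hosts" if report["java_classes"] and not report["dex_entries"]
                         else "android" if report["dex_entries"] else "unknown")
    hits = {cat for cat, files in report["indicators"].items() if files}
    if {"network", "file_write", "exec"} <= hits:
        report["verdict"] = "dropper-like: fetches, writes and executes"
    elif {"network", "file_write"} <= hits:
        report["verdict"] = "downloads to disk; review"
    else:
        report["verdict"] = "no dropper pattern"
    return report


def build_sample_jar():
    """Constructed input: a JAR with one stub class carrying dropper strings."""
    fake_class = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34"  # magic + fake version
    for s in (b"Dropper", b"java/net/URL", b"openStream",
              b"java/io/FileOutputStream", b"os.name",
              b"java/lang/Runtime", b"exec"):
        fake_class += b"\x01" + len(s).to_bytes(2, "big") + s  # CONSTANT_Utf8 layout
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: Dropper\r\n")
        zf.writestr("Dropper.class", fake_class)
        zf.writestr("README.txt", "not bytecode")
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage_jar(build_sample_jar()), indent=2))
```

For a real sample, pass `open(path, "rb").read()` to `triage_jar` instead of the constructed JAR. The verdict is a triage hint, not proof: legitimate updaters match the same API mix, and an obfuscated dropper that resolves classes by reflection from decoded strings will show nothing here, so treat a hit as a reason to pull the sample into a sandbox rather than as a conviction.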

  34. JAR? For Android? Really? Which Browser by Cafe Alpha · · Score: 1

    automatically converts and runs JRE files in Android?
    I don't believe it.

  35. Re:Does anyone actually install a JRE any more? by KGIII · · Score: 1

    You're kidding, right?

    --
    "So long and thanks for all the fish."
  36. Re:So Brazilan criminals are by KGIII · · Score: 1

    Well, they've sold /. so, presumably, they've moved up a notch.

    --
    "So long and thanks for all the fish."
  37. Re:Does anyone actually install a JRE any more? by delt0r · · Score: 1

    Yeah, he is so incompetent to get the idea to execution first and a billion on the way. You're just jealous.

    --
    If information wants to be free, why does my internet connection cost so much?
  38. If we assume they are written in Java... by theendlessnow · · Score: 1

    If we assume they are written in Java... then certainly we can do some profiling... just look for people with less hair.

  39. Re:Does anyone actually install a JRE any more? by drinkypoo · · Score: 1

    Yeah, he is so incompetent to get the idea to execution first and a billion on the way. You're just jealous.

    He wasn't the first to get the idea into a game, though. He was the first to make it popular. Sadly, popular and good are orthogonal axes on the chart.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  40. Re:Does anyone actually install a JRE any more? by Todd Knarr · · Score: 1

    Or in Ruby, or Python, or any number of other languages. Java's just another entry in the list here. Frankly I'd've expected the first cross-platform malware to be in Perl, and to have shown up at least 10 years ago. I'm not sure AV tools would even recognize a Perl program as malware...

  41. Re:So Brazilan criminals are by silentcoder · · Score: 1

    I think of it more as /. getting a shot of penicillin actually.

    --
    Unicode killed the ASCII-art *
  42. Re:Does anyone actually install a JRE any more? by hairyfeet · · Score: 1

    Are you REALLY this fucking dumb or are you just such a giant fangirl that the thought of anybody pointing out that "ur fav game its bestest evar!" had a very poorly thought out backend makes you rush to post without engaging your tiny brain? That is, if it does exist.

    I don't give a rat's ass if he made a good game or not; what I DO give a fuck about is that he used the most dangerous runtime in existence to make the fucking thing. For fuck's sake, he may as well have used ActiveX for the level of risk he put his customers in. In this day and age, when there are literally dozens of game engines to choose from, that makes his brain-dead fucking choice all the more egregious, and the only nice thing I can say about it is that since MSFT bought it I'm sure it'll end up porting off Java, which will be a truly wonderful day for everyone... well, except for you, who are apparently too dumb to understand anything complex like PC security or risk factors. Sorry, I don't have time to break out MS Paint and draw you some pictures to explain in a way you can understand, but I have grown-up things to do, kid.

    --
    ACs don't waste your time replying, your posts are never seen by me.